A novel runtime technique for identifying malicious applications


HUNTING ANDROID MALWARE A novel runtime technique for identifying malicious applications

WHOAMI @brompwnie

THANK YOU
- SensePost
- Heroku

OUTLINE
The...
- Problem
- Question
- Idea
- PoC
- Results
- Conclusion

THE PROBLEM
Android malware has been, and still is, a constant threat in the Android ecosystem.

THE QUESTION
July 2017, at a conference... in Las Vegas...

THE QUESTION
"How do I protect myself from these kinds of attacks?"
We have to look at the APK:
- Statically
- In a sandbox

CURRENT TECHNIQUES
We look at malware in a few ways:
- Hashes
- Code signatures
- Permissions
- Reputation
- Behaviour

CURRENT DEFENCES
- Google Play Protect
- Google Play Store
- Third-party software
- Anti-virus
- MDM, MAM, MOM, MMM, ...

FRUSTRATIONS
- Static analysis is hard
- Can't run Cuckoo on my phone
- Scalability
- What if the application isn't on the App Store?
- Bypassing AV is too easy

THE FRUSTRATION
No reliable way to detect malware on devices.

THE IDEA
But there's HEAPS of data...
- Android apps make use of objects
- Import statements are useful, BUT you can import without instantiating
- If it's instantiated, it's probably being used
- Instantiated objects have data (some)

/PROC//MAPS? /PROC//MEM? DUMP.HPROF?

THE IDEA
Instrumentation:
- Objects on the HEAP
- Trace calls and behaviour
- Recent developments made it easier (for me)
- Great way to gain insight into applications
- Extremely powerful
- Runtime is the best action
https://www.frida.re/

THE IDEA
Wouldn't it be cool if at runtime I could see:
- Which objects are instantiated
- What the values for these objects are

THE IDEA
This would give me an idea as to WHAT an app is doing and HOW.

THE IDEA
For example, analysing an app with a meterpreter backdoor. Experience tells me to look for:
- DexClassLoader
- TCP connection
Which tells me that this app is:
- Injecting code at runtime
- Communicating remotely

DEMO: BASIC MALWARE INFECTION

DEMO: BASIC RUNTIME MALWARE ANALYSIS

HOW DOES IT WORK WITH OTHER APPS?

STATIC VS RUNTIME
What static analysis won't show:
- Runtime injection
- Class loaders
- What if you don't have the injected JAR/APK? (/data/data/com.app.sandbox)
- java.lang.Runtime.exec("/bin/sh"): no import statements, instantiated but kinda immutable

DEMO: WHAT STATIC CAN'T SHOW YOU

HEAPS OF LOVE
- Don't have to trawl code
- Identify specific anomalies

HEAPS OF FRUSTRATION
- java.lang.Runtime: kind of immutable?
- exec("/system/bin/ps") does not have much of a footprint

HEAPS OF FRUSTRATION
What's the plan?
- What is fundamental to objects? Their methods.
- We can hook methods, i.e. Runtime.getRuntime().exec("/bin/sh")
- How? Overload with Frida
- Not just looking at object state, but object behaviour

HEAPS OF FRUSTRATION
What's the plan?

DEMO: OVERLOAD 'DEM METHODS

SNAPSHOT
We have the ability to:
- Analyse objects on the HEAP
- Hook methods for certain objects
- Perform this at runtime on a device
- See more than static analysis
- Perform the above from a workstation
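The two kinds of evidence the talk combines (live objects on the heap, and hooked calls on objects such as Runtime that leave little heap footprint) as one added Frida script; this is example code written here, not Uitkyk's own library or scripts. The HEURISTICS table, the observation shape and the scoring thresholds are assumptions chosen to mirror the indicators the slides name; the Frida section only runs inside a process Frida is attached to, while the scoring function runs anywhere.

```javascript
'use strict';

// Indicators from the talk and what an instance or call of each "tells" the analyst.
// Assumed table for illustration; a real deployment would tune it per app family.
const HEURISTICS = {
  'dalvik.system.DexClassLoader': 'injects code at runtime',
  'java.net.Socket': 'communicates remotely',
  'java.lang.Runtime.exec': 'spawns a native process',
};

// Observations have the shape {type: 'instance'|'call', name, detail?}.
// Returns a verdict object so a host-side client can decide what to do with it.
function assessIndicators(observations) {
  const findings = [];
  for (const obs of observations) {
    const why = HEURISTICS[obs.name];
    if (!why) continue;
    // exec of a shell is weighted above any single object type (assumed weighting).
    const shell = obs.name === 'java.lang.Runtime.exec' && /\/sh$/.test(obs.detail || '');
    findings.push({ name: obs.name, why, weight: shell ? 2 : 1 });
  }
  const score = findings.reduce((sum, f) => sum + f.weight, 0);
  // Two or more indicators together (e.g. class loader + socket) trip the verdict.
  return { score, suspicious: score >= 2, findings };
}

// Frida part: the `Java` global only exists when injected into an Android process.
if (typeof Java !== 'undefined') {
  const seen = [];
  Java.perform(function () {
    // Heap inspection: which of the interesting classes already have live instances?
    for (const cls of ['dalvik.system.DexClassLoader', 'java.net.Socket']) {
      Java.choose(cls, {
        onMatch: function (instance) { seen.push({ type: 'instance', name: cls }); },
        onComplete: function () {},
      });
    }
    // Behaviour hook: Runtime.exec is barely visible on the heap, so record the call itself.
    const Runtime = Java.use('java.lang.Runtime');
    Runtime.exec.overload('java.lang.String').implementation = function (cmd) {
      seen.push({ type: 'call', name: 'java.lang.Runtime.exec', detail: cmd });
      send(assessIndicators(seen)); // report the current verdict to the host-side client
      return this.exec(cmd);        // let the original call proceed unchanged
    };
  });
}
```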

A SOLUTION: SAFETYNET ATTESTATION API
"The SafetyNet Attestation API helps you assess the security and compatibility of the Android environments in which your apps run. You can use this API to analyze devices that have installed your app."

A SOLUTION: SAFETYNET ATTESTATION API

A SOLUTION: UITKYK
You can use this API to analyze applications that are installed on an Android device.
- Custom Android Frida library
- DBUS over TCP
- Frida Server integration
- Can run all the previously demo'd tests
- And more!

A SOLUTION: UITKYK API Hey Frida, give me running processes

A SOLUTION: UITKYK API Hey Android, give me running processes

A SOLUTION: UITKYK API Hey Frida, tell me if this application looks malicious

A SOLUTION: UITKYK API Hey Android, tell me if this application looks malicious

A SOLUTION: UITKYK API

WHY UITKYK API?
- No Android Frida library existed
- Wanted to use Frida
- Wanted a client/server model
- Didn't want pain

HOW DOES UITKYK, UITKYK?
- TCP socket to the daemon
- Push and pull bytes
- Sniffed Frida sessions
- Outlined TCP flags
- Identified key bytes (trial and error)
- Stared at my monitor
- Wash, rinse, repeat

ORIGINAL PYTHON POC

DEMO: UITKYK

UITKYK
- Library: github.com/brompwnie/uitkyk
- Blogpost/s: brompwnie.github.io
- Frida scripts: github.com/brompwnie/uitkyk
- Videos: https://goo.gl/k6bnbq

SHORTCOMINGS
- Increased attack surface
- Abuse (duh)
- We are still struggling to get basic security right

CONCLUSION
- It's a journey
- Uitkyk is a step in the right direction
- No silver bullet
- Defence in depth
- Android OS is key to protecting itself

QUESTIONS?

DANKE!